Skip to content

chore: bump gh-aw-firewall to v0.27.28#44467

Merged
pelikhan merged 3 commits into
mainfrom
copilot/run-awf-release-integrator-skill
Jul 9, 2026
Merged

chore: bump gh-aw-firewall to v0.27.28#44467
pelikhan merged 3 commits into
mainfrom
copilot/run-awf-release-integrator-skill

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Integrates gh-aw-firewall v0.27.28 (from v0.27.27). Release is refactoring + bug fixes only — no new CLI flags, no new AWF*MinVersion gates needed.

Changes

  • pkg/constants/version_constants.go — bump DefaultFirewallVersion to v0.27.28
  • pkg/workflow/schemas/awf-config.schema.json — sync upstream schema: enum array formatting normalization + arc-dind topology description now links to docs/arc-dind.md
  • .github/aw/actions-lock.json — add SHA digest pins for all 5 v0.27.28 images (agent, api-proxy, cli-proxy, squid, build-tools)
  • pkg/workflow/docker_firewall_pin_compile_test.go — update hardcoded digest assertions to v0.27.28 SHAs
  • .changeset/patch-bump-awf-v0-27-28.md — patch changeset
  • *.lock.yml — all 260 workflow lock files regenerated (make recompile × 2)

Release highlights (v0.27.28)

  • fix: tag-only image ref in rootless permission repair
  • fix: COPILOT_MODEL now validated after alias resolution, not before
  • refactor: config-assembly validators, API proxy OIDC setup, workdir-setup, port-spec parsing all split/consolidated
  • ci: guard added to prevent SUPPORTED_COPILOT_MODELS drift from pricing catalog


✨ PR Review Safe Output Test - Run 28996017246

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 82 AIC · ⌖ 31.4 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

Copilot AI and others added 2 commits July 9, 2026 04:21
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ock files

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@@ -1,171 +1,4 @@
{
"entries": {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot fix code that rewrites/sync this file to ensure that fields are stored.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in the latest commit. The root cause was that sync-action-pins used jq . which sorts keys alphabetically (putting containers before entries), conflicting with ActionCache.marshalSorted() which always emits entries first.

Changes:

  • Makefile sync-action-pins — updated to use jq '{entries: .entries} + if ... then {containers: .containers} else {} end' to preserve canonical section ordering
  • .github/aw/actions-lock.json — rewritten with entries before containers
  • pkg/actionpins/data/action_pins.json and pkg/workflow/data/action_pins.json — re-synced with correct ordering

TestActionsLockJSONFieldsAreSorted now passes for both sub-tests.

…and actions-lock.json

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan July 9, 2026 05:16
@pelikhan pelikhan added the smoke label Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot Small failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results\n✅ GitHub MCP Testing\n✅ Web Fetch Testing\n✅ File Writing Testing\n✅ Bash Tool Testing\n❌ Build gh-aw\nOverall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Smoke Gemini — Powered by Gemini · 16.3 AIC · ⌖ 1.55 AIC · ⊞ 9.3K ·
Comment /smoke-gemini to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq 4.53.3
curl 8.5.0
gh 2.95.0
node 22.23.1
python3 3.11.15 (PyPy 7.3.23)
go 1.24.13
java 21.0.11
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 13 AIC · ⌖ 8.22 AIC · ⊞ 4.6K ·
Comment /smoke-test-tools to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Comment Memory

Morning build hums on
Quiet branches hold their shape
Tests leave clean footprints

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · 5.54 AIC · ⌖ 3.4 AIC · ⊞ 10.9K ·
Comment /smoke-codex to run again

@pelikhan pelikhan marked this pull request as ready for review July 9, 2026 05:41
Copilot AI review requested due to automatic review settings July 9, 2026 05:41
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke tests:

  1. GitHub PR review tool: ✅
  2. mcpscripts GH PR list: ❌
  3. Serena symbol find: ❌
  4. Playwright navigation: ✅
  5. Web fetch curl test: ✅
  6. File creation test: ✅
  7. Discussion interaction: ❌
  8. Make build: ✅

Overall: FAIL
Cc @github-actions[bot]

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 33.4 AIC · ⌖ 2.94 AIC · ⊞ 17.6K ·
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Summary:\n\n1. ✅ Test1\n2. ❌ Test2\n3. ❌ Test3\n4. ❌ Test4\n5. ❌ Test5\n6. ❌ Test6\n7. ❌ Test7\n8. ❌ Test8\n9. ❌ Test9\n10. ❌ Test10\n11. ❌ Test11\n12. ❌ Test12\n13. ❌ Test13\n14. ❌ Test14\n15. ❌ Test15\n\nOverall status: FAIL\nAuthor: @github-actions[bot]

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 24.9 AIC · ⌖ 3.06 AIC · ⊞ 17.9K ·
Comment /smoke-copilot-aoai-apikey to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

⚠️ PR Code Quality Reviewer failed during code quality review.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #44467 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100).

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke

chore: bump gh-aw-firewall to v0.27.28
fix: replace allocating string comparison with bytes.Equal in virtual_fs.go; [community] Update community contributions in README
1✅ 2✅ 3✅ 4✅ 5❌ 6✅ 7✅ 8✅ 9✅ 10❌ 11✅ 12✅ 13✅ 14❌ 15✅ 16✅
Overall: FAIL — author: app/copilot-swe-agent; assignees: pelikhan, Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 129.6 AIC · ⌖ 4.89 AIC · ⊞ 19.8K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Comment Memory

Bots tap quiet keys
Builds bloom blue in midnight logs
Checks wake with dawn light

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 129.6 AIC · ⌖ 4.89 AIC · ⊞ 19.8K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke run §28996054925 completed; inline notes mark validated diff anchors.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 129.6 AIC · ⌖ 4.89 AIC · ⊞ 19.8K
Comment /smoke-copilot to run again
Add label smoke to run again

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR bumps the embedded/default gh-aw-firewall (AWF) version from v0.27.27 to v0.27.28, and updates the repo’s pinned container digests, embedded schema, and regenerated workflow artifacts to match the new firewall release.

Changes:

  • Bump DefaultFirewallVersion to v0.27.28 and update compiled/golden fixtures to reflect the new AWF version.
  • Sync updated AWF config JSON schema text and update firewall container digest pins (including tests asserting digests).
  • Regenerate workflow lock artifacts and update the action/container lock JSON sources used for pinning.
Show a summary per file
File Description
pkg/constants/version_constants.go Bumps the default AWF version constant to v0.27.28.
pkg/workflow/schemas/awf-config.schema.json Updates embedded upstream schema text (incl. runner.topology description).
.github/aw/actions-lock.json Adds/updates pinned container digests for AWF 0.27.28 images.
pkg/actionpins/data/action_pins.json Syncs embedded action/container pin data (includes new 0.27.28 container digests).
pkg/workflow/data/action_pins.json Syncs workflow package’s embedded action/container pin data (includes new 0.27.28 container digests).
Makefile Adjusts sync-action-pins to only emit entries (+ containers when present).
pkg/workflow/docker_firewall_pin_compile_test.go Updates hardcoded digest assertions to the v0.27.28 SHAs.
.changeset/patch-bump-awf-v0-27-28.md Adds a patch changeset for the AWF bump and regenerated artifacts.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Updates golden output to reference AWF v0.27.28 and 0.27.28 images.
.github/workflows/example-permissions-warning.lock.yml Regenerated lock workflow with AWF v0.27.28 pins and updated container digests.
.github/workflows/codex-github-remote-mcp-test.lock.yml Regenerated lock workflow with AWF v0.27.28 pins and updated container digests.
.github/workflows/bot-detection.lock.yml Regenerated lock workflow with AWF v0.27.28 pins and updated container digests.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 36/273 changed files
  • Comments generated: 1
  • Review effort level: Low

@@ -738,7 +738,7 @@
"topology": {
"type": "string",
"enum": ["standard", "arc-dind"],
"description": "Runner deployment topology. 'standard' (default) = GitHub-hosted VM or self-hosted runner with local Docker. 'arc-dind' = ARC (Actions Runner Controller) with Docker-in-Docker sidecar, where the runner and Docker daemon have separate filesystems. When set to 'arc-dind', AWF enables sysroot staging (a sysroot-stage init container copies the build-tools image into a named volume mounted at /host:rw on the agent) and emits a warning when RUNNER_TOOL_CACHE points under /opt (which is typically invisible to the DinD daemon). Other ARC/DinD settings such as container.dockerHostPathPrefix, dind.preStageDirs, and network.isolation are configured explicitly through their own fields."
"description": "Runner deployment topology. 'standard' (default) = GitHub-hosted VM or self-hosted runner with local Docker. 'arc-dind' = ARC (Actions Runner Controller) with Docker-in-Docker sidecar, where the runner and Docker daemon have separate filesystems. When set to 'arc-dind', AWF enables sysroot staging (a sysroot-stage init container copies the build-tools image into a named volume mounted at /host:rw on the agent) and emits a warning when RUNNER_TOOL_CACHE points under /opt (which is typically invisible to the DinD daemon). Other ARC/DinD settings such as container.dockerHostPathPrefix, dind.preStageDirs, and network.isolation are configured explicitly through their own fields. See docs/arc-dind.md for a complete guide."
@pelikhan pelikhan merged commit 7b20828 into main Jul 9, 2026
284 of 287 checks passed
@pelikhan pelikhan deleted the copilot/run-awf-release-integrator-skill branch July 9, 2026 05:46
@github-actions github-actions Bot mentioned this pull request Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100 — Excellent

Analyzed 2 test(s): 2 design, 0 implementation, 0 violation(s).

📊 Metrics (2 tests)
Metric Value
Analyzed 2 (Go: 2, JS: 0)
✅ Design 2 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 2 (100%)
Duplicate clusters 0
Inflation No
🚨 Violations 0
Test File Classification Issues
TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion pkg/workflow/docker_firewall_pin_compile_test.go:105 Design (Regression) None — fixture digest update
TestCompileWorkflow_BuildToolsImagePinnedForArcDind pkg/workflow/docker_firewall_pin_compile_test.go:182 Design (Regression) None — fixture digest update

Verdict

Passed. 0% implementation tests (threshold: 30%). No violations detected. Modified tests are focused regression tests with high behavioral value for container digest pinning guarantees (gh-aw#43307, gh-aw#44040).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 14.6 AIC · ⌖ 17.9 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 100/100. 0% implementation tests (threshold: 30%). No violations. Modified tests are focused regression tests with high behavioral value for container digest pinning guarantees.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: chore: bump gh-aw-firewall to v0.27.28

LGTM. This is a well-structured routine version bump.

Verified:

  • DefaultFirewallVersion correctly updated to v0.27.28 in pkg/constants/version_constants.go
  • All 5 image digests are consistent across actions-lock.json and docker_firewall_pin_compile_test.go:
    • agent: sha256:53225868...
    • api-proxy: sha256:9c409216...
    • cli-proxy: sha256:65f9b00a...
    • squid: sha256:41d20c77...
    • build-tools: sha256:4f982795...
  • No AWF*MinVersion gates need updating (release is refactor + bug fixes only, no new CLI flags)
  • Schema sync is cosmetic (enum array formatting + arc-dind description links to docs)
  • Changeset added and 260 lock files regenerated as expected

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 50.6 AIC · ⌖ 5.86 AIC · ⊞ 4.8K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean version bump — LGTM

All 5 v0.27.28 image digests are internally consistent across actions-lock.json, the test assertions in docker_firewall_pin_compile_test.go, and all 260 regenerated lock files. No stale v0.27.27 references remain in any added line. The double-recompile process was correctly followed across three commits. No actionable issues found.

🔎 Code quality review by PR Code Quality Reviewer · 135.9 AIC · ⌖ 6.42 AIC · ⊞ 5.4K
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /tdd and /codebase-design — this is a clean mechanical version bump; approving.

📋 Review Summary

What was reviewed

This PR bumps gh-aw-firewall from v0.27.27 → v0.27.28 (refactoring + bug fixes only, no new CLI flags or MinVersion gates).

Key observations

  • SHA consistency verified — all 5 image digests (agent, api-proxy, cli-proxy, squid, build-tools) are consistent across actions-lock.json, the test file assertions, and the 260 regenerated lock.yml files
  • Double-recompile protocol followedpkg/constants/version_constants.go documents make build && make recompile && make recompile and the PR description confirms make recompile × 2 was executed
  • Regression tests updateddocker_firewall_pin_compile_test.go hardcodes the new v0.27.28 SHAs and tests pinning for the default version, arc-dind topology, and the legacy v0.27.0 path
  • Schema syncawf-config.schema.json updates the arc-dind topology description to link docs/arc-dind.md, consistent with existing vocabulary
  • Changeset present — patch-level changeset file included

Positive highlights

  • The test structure is solid: separate test functions per scenario (default version, arc-dind, older pinned version), each with a clear Arrange/Act/Assert shape
  • Hardcoding expected SHAs directly in the test is the right call for this type of supply-chain pin regression — it makes drift immediately visible
  • Version constant comment with the ⚠️ IMPORTANT warning and exact make commands is excellent operational documentation

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 97.5 AIC · ⌖ 6.68 AIC · ⊞ 6.6K
Comment /matt to run again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants